# This set of rules is an attempt at sane host firewalling.
# Please use the examples to adjust accordingly for your host.
#
# There are two sets of rules below. One for incoming traffic and a second
# for outgoing traffic. Both need to be uncommented.
# These rulesets were designed for ease not optimization.
# Harry Hoffman

block in on all
block out on all

# Start with allowing all traffic on the loopback unconditionally
pass in quick on lo0 all
pass out quick on lo0 all

# Block any packets that have source-route set
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# Block all packets that are short, fragmented, or have options set
block in log quick all with short
block in log quick all with ipopts

# Don't quickly block fragments, just in case
block in log all with frags

# Attempt to hide from any nmap scans
block in log quick proto tcp all flags FUP
block in log quick proto tcp all flags SF/SFRA
block in log quick proto tcp all flags /SFRA

# Send back a RST packet for attempts to do ident (many smtp servers)
block return-rst in quick proto tcp from any to any port = 113 flags S/SA

###########################################################################
# Incoming Rulesets
###########################################################################

# Allow ssh from anywhere on any interface
pass in quick proto tcp from any to any port = 22 flags S keep state

# This is for a standard web server for both http/https
# Remove keep state if too many requests are coming in.
#pass in quick proto tcp from any to any port = 80 flags S keep state
#pass in quick proto tcp from any to any port = 443 flags S keep state

# This is for a standard SMTP server
#pass in quick proto tcp from any to any port = 25 flags S keep state
#pass in quick proto tcp from any to any port = 587 flags S keep state

# This is for an IMAP and S/IMAP server
#pass in quick proto tcp from any to any port = 143 flags S keep state
#pass in quick proto tcp from any to any port = 993 flags S keep state

# This is for a standard DNS server
#pass in quick proto udp from any to any port = 53 keep state
# This next one uses TCP which is usually only for zone transfers (caution!)
#pass in quick proto tcp from any to any port = 53 keep state

# This is for an LDAP and S/LDAP server
# Use the first one with caution as regular LDAP passes everything in clear.
#pass in quick proto tcp from any to any port = 389 flags S keep state
#pass in quick proto tcp from any to any port = 636 flags S keep state

# Allow passive ftp sessions to leave this server
pass out quick proto tcp from any to any port > 1023 flags S keep state

# Allow traceroute, dest unreachable, and time-exceeded back in
pass in quick proto icmp from any to any icmp-type 3 keep state
pass in quick proto icmp from any to any icmp-type 11 keep state

###########################################################################
# Outgoing Rulesets
###########################################################################

# Allow ssh from anywhere on any interface
pass out quick proto tcp from any to any port = 22 flags S keep state

# This is for standard web requests (both http/https)
# Remove keep state if too many requests are coming in.
pass out quick proto tcp from any to any port = 80 flags S keep state
pass out quick proto tcp from any to any port = 443 flags S keep state

# This is for standard SMTP connections to mailservers
pass out quick proto tcp from any to any port = 25 flags S keep state
pass out quick proto tcp from any to any port = 587 flags S keep state

# This is for an IMAP and S/IMAP server
#pass out quick proto tcp from any to any port = 143 flags S keep state
#pass out quick proto tcp from any to any port = 993 flags S keep state

# This is for a standard DNS client
pass out quick proto udp from any to any port = 53 keep state
# This next one uses TCP which is usually only for zone transfers.
#pass out quick proto tcp from any to any port = 53 keep state

# This allows for LDAP and S/LDAP clients
# Use the first one with caution as regular LDAP passes everything in clear.
#pass out quick proto tcp from any to any port = 389 flags S keep state
#pass out quick proto tcp from any to any port = 636 flags S keep state

# This is for FTP clients from your host to outside (passive)
pass out quick proto tcp from any to any port = 21 flags S keep state

# This is for outgoing traceroutes (step 1, see incoming rules for step 2)
pass out quick proto udp from any to any port 33434 >< 33525 keep state

# This is for outgoing pings
pass out quick proto icmp from any to any keep state

###########################################################################
# All Done
###########################################################################
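An added example, not part of Harry Hoffman's ruleset: a small Python auditor that parses the subset of ipfilter syntax used in this file (action, direction, quick, log, proto, port comparisons and ranges, keep state, commented-out rules) and summarises what the ruleset actually lets in and out, which rules drop traffic without logging, and which pass rules are stateless. The SAMPLE_RULES excerpt is a constructed subset mirroring the rules above; point parse_ruleset() at the real /etc/ipf.conf to audit a live host.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the style of the ruleset above (not the full file).
SAMPLE_RULES = """\
block in on all
block out on all
pass in quick on lo0 all
block in log quick all with short
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
pass in quick proto tcp from any to any port = 22 flags S keep state
#pass in quick proto tcp from any to any port = 80 flags S keep state
pass in quick proto icmp from any to any icmp-type 3 keep state
pass out quick proto tcp from any to any port > 1023 flags S keep state
pass out quick proto udp from any to any port 33434 >< 33525 keep state
"""


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool
    log: bool
    proto: Optional[str]   # "tcp", "udp", "icmp" or None when the rule says "all"
    port: Optional[str]    # normalised spec: "=22", ">1023", "33434><33525"
    keep_state: bool
    active: bool           # False when the line is commented out with '#'
    raw: str


# A rule line, optionally commented out, optionally carrying "return-rst" etc.
_HEAD = re.compile(r'^(?P<hash>#)?\s*(?P<action>pass|block)(?:\s+return-\w+)?\s+(?P<dir>in|out)\b')
_PORT_RANGE = re.compile(r'\bport\s+(?P<lo>\d+)\s*><\s*(?P<hi>\d+)')
_PORT_CMP = re.compile(r'\bport\s*(?P<op>=|>|<)\s*(?P<n>\d+)')
_PROTO = re.compile(r'\bproto\s+(?P<p>\w+)')


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ipf line; returns None for blank lines and prose comments."""
    stripped = line.strip()
    m = _HEAD.match(stripped)
    if not m:
        return None
    body = stripped.lstrip('#').strip()
    tokens = body.split()
    port = None
    if (pm := _PORT_RANGE.search(body)):
        port = f"{pm['lo']}><{pm['hi']}"
    elif (pm := _PORT_CMP.search(body)):
        port = f"{pm['op']}{pm['n']}"
    proto_m = _PROTO.search(body)
    return Rule(
        action=m['action'],
        direction=m['dir'],
        quick='quick' in tokens,
        log='log' in tokens,
        proto=proto_m['p'] if proto_m else None,
        port=port,
        keep_state='keep state' in body,
        active=m['hash'] is None,
        raw=stripped,
    )


def parse_ruleset(text: str) -> list:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def allowed_ports(rules: list, direction: str) -> dict:
    """proto -> sorted port specs opened by active 'pass' rules in that direction."""
    out: dict = {}
    for r in rules:
        if r.active and r.action == 'pass' and r.direction == direction and r.port:
            out.setdefault(r.proto or 'any', []).append(r.port)
    return {p: sorted(v) for p, v in out.items()}


def silent_blocks(rules: list) -> list:
    """Active block rules without 'log': what they drop never shows up in ipmon."""
    return [r.raw for r in rules if r.active and r.action == 'block' and not r.log]


def stateless_passes(rules: list) -> list:
    """Active pass rules without 'keep state': replies need their own rule."""
    return [r.raw for r in rules if r.active and r.action == 'pass' and not r.keep_state]


if __name__ == '__main__':
    rules = parse_ruleset(SAMPLE_RULES)
    print('inbound :', allowed_ports(rules, 'in'))
    print('outbound:', allowed_ports(rules, 'out'))
    print('unlogged blocks:', *silent_blocks(rules), sep='\n  ')
    print('stateless passes:', *stateless_passes(rules), sep='\n  ')
```

The two default-deny rules at the top are the ones silent_blocks() reports: because they carry no `log`, anything that falls through the quick rules is dropped without a record, so a host that wants visibility into probes should consider `block in log on all` instead.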